syncable_cli/analyzer/vulnerability/checkers/

javascript.rs

use std::path::Path;
use std::process::Command;
use log::{info, warn};
use crate::analyzer::dependency_parser::{DependencyInfo, Language};
use crate::analyzer::runtime::{RuntimeDetector, PackageManager};
use crate::analyzer::tool_management::ToolDetector;
use crate::analyzer::vulnerability::{VulnerableDependency, VulnerabilityError, VulnerabilityInfo, VulnerabilitySeverity};
use super::MutableLanguageVulnerabilityChecker;

pub struct JavaScriptVulnerabilityChecker {
    tool_detector: ToolDetector,
}

impl JavaScriptVulnerabilityChecker {
    pub fn new() -> Self {
        Self {
            tool_detector: ToolDetector::new(),
        }
    }
    
    fn execute_audit_for_manager(
        &mut self,
        manager: &PackageManager,
        project_path: &Path,
        dependencies: &[DependencyInfo],
    ) -> Result<Option<Vec<VulnerableDependency>>, VulnerabilityError> {
        match manager {
            PackageManager::Bun => self.execute_bun_audit(project_path, dependencies),
            PackageManager::Npm => self.execute_npm_audit(project_path, dependencies),
            PackageManager::Yarn => self.execute_yarn_audit(project_path, dependencies),
            PackageManager::Pnpm => self.execute_pnpm_audit(project_path, dependencies),
            PackageManager::Unknown => Ok(None),
        }
    }
    
    fn execute_bun_audit(
        &mut self,
        project_path: &Path,
        dependencies: &[DependencyInfo],
    ) -> Result<Option<Vec<VulnerableDependency>>, VulnerabilityError> {
        // Check if bun is available
        let bun_status = self.tool_detector.detect_tool("bun");
        if !bun_status.available {
            warn!("bun not found, skipping bun audit");
            return Ok(None);
        }
        
        info!("Executing bun audit in {}", project_path.display());
        
        // Execute bun audit --json
        let output = Command::new("bun")
            .args(&["audit", "--json"])
            .current_dir(project_path)
            .output()
            .map_err(|e| VulnerabilityError::CommandError(
                format!("Failed to run bun audit: {}", e)
            ))?;
        
        // bun audit returns non-zero exit code when vulnerabilities found
        // This is expected behavior, not an error
        if !output.status.success() && !output.stdout.is_empty() {
            info!("bun audit completed with findings");
        }
        
        if output.stdout.is_empty() {
            return Ok(None);
        }
        
        // Parse bun audit output
        let audit_data: serde_json::Value = serde_json::from_slice(&output.stdout)
            .map_err(|e| VulnerabilityError::ParseError(
                format!("Failed to parse bun audit output: {}", e)
            ))?;
        
        self.parse_bun_audit_output(&audit_data, dependencies)
    }
    
    fn execute_npm_audit(
        &mut self,
        project_path: &Path,
        dependencies: &[DependencyInfo],
    ) -> Result<Option<Vec<VulnerableDependency>>, VulnerabilityError> {
        // Check if npm is available
        let npm_status = self.tool_detector.detect_tool("npm");
        if !npm_status.available {
            warn!("npm not found, skipping npm audit");
            return Ok(None);
        }
        
        info!("Executing npm audit in {}", project_path.display());
        
        // Execute npm audit --json
        let output = Command::new("npm")
            .args(&["audit", "--json"])
            .current_dir(project_path)
            .output()
            .map_err(|e| VulnerabilityError::CommandError(
                format!("Failed to run npm audit: {}", e)
            ))?;
        
        // npm audit returns 0 even when vulnerabilities are found
        // Non-zero exit code indicates an actual error
        if !output.status.success() && output.stdout.is_empty() {
            return Err(VulnerabilityError::CommandError(
                format!("npm audit failed with exit code {}: {}", 
                    output.status.code().unwrap_or(-1),
                    String::from_utf8_lossy(&output.stderr))
            ));
        }
        
        if output.stdout.is_empty() {
            return Ok(None);
        }
        
        // Parse npm audit output
        let audit_data: serde_json::Value = serde_json::from_slice(&output.stdout)
            .map_err(|e| VulnerabilityError::ParseError(
                format!("Failed to parse npm audit output: {}", e)
            ))?;
        
        self.parse_npm_audit_output(&audit_data, dependencies)
    }
    
    fn execute_yarn_audit(
        &mut self,
        project_path: &Path,
        dependencies: &[DependencyInfo],
    ) -> Result<Option<Vec<VulnerableDependency>>, VulnerabilityError> {
        // Check if yarn is available
        let yarn_status = self.tool_detector.detect_tool("yarn");
        if !yarn_status.available {
            warn!("yarn not found, skipping yarn audit");
            return Ok(None);
        }
        
        info!("Executing yarn audit in {}", project_path.display());
        
        // Execute yarn audit --json
        let output = Command::new("yarn")
            .args(&["audit", "--json"])
            .current_dir(project_path)
            .output()
            .map_err(|e| VulnerabilityError::CommandError(
                format!("Failed to run yarn audit: {}", e)
            ))?;
        
        // yarn audit behavior: returns 0 even when vulnerabilities are found
        // Non-zero exit code indicates an actual error
        if !output.status.success() && output.stdout.is_empty() {
            return Err(VulnerabilityError::CommandError(
                format!("yarn audit failed with exit code {}: {}", 
                    output.status.code().unwrap_or(-1),
                    String::from_utf8_lossy(&output.stderr))
            ));
        }
        
        if output.stdout.is_empty() {
            return Ok(None);
        }
        
        // Parse yarn audit output
        let audit_data: serde_json::Value = serde_json::from_slice(&output.stdout)
            .map_err(|e| VulnerabilityError::ParseError(
                format!("Failed to parse yarn audit output: {}", e)
            ))?;
        
        self.parse_yarn_audit_output(&audit_data, dependencies)
    }
    
    fn execute_pnpm_audit(
        &mut self,
        project_path: &Path,
        dependencies: &[DependencyInfo],
    ) -> Result<Option<Vec<VulnerableDependency>>, VulnerabilityError> {
        // Check if pnpm is available
        let pnpm_status = self.tool_detector.detect_tool("pnpm");
        if !pnpm_status.available {
            warn!("pnpm not found, skipping pnpm audit");
            return Ok(None);
        }
        
        info!("Executing pnpm audit in {}", project_path.display());
        
        // Execute pnpm audit --json
        let output = Command::new("pnpm")
            .args(&["audit", "--json"])
            .current_dir(project_path)
            .output()
            .map_err(|e| VulnerabilityError::CommandError(
                format!("Failed to run pnpm audit: {}", e)
            ))?;
        
        // pnpm audit behavior: returns 0 even when vulnerabilities are found
        // Non-zero exit code indicates an actual error
        if !output.status.success() && output.stdout.is_empty() {
            return Err(VulnerabilityError::CommandError(
                format!("pnpm audit failed with exit code {}: {}", 
                    output.status.code().unwrap_or(-1),
                    String::from_utf8_lossy(&output.stderr))
            ));
        }
        
        if output.stdout.is_empty() {
            return Ok(None);
        }
        
        // Parse pnpm audit output
        let audit_data: serde_json::Value = serde_json::from_slice(&output.stdout)
            .map_err(|e| VulnerabilityError::ParseError(
                format!("Failed to parse pnpm audit output: {}", e)
            ))?;
        
        self.parse_pnpm_audit_output(&audit_data, dependencies)
    }
    
    fn parse_bun_audit_output(
        &self,
        audit_data: &serde_json::Value,
        dependencies: &[DependencyInfo],
    ) -> Result<Option<Vec<VulnerableDependency>>, VulnerabilityError> {
        let mut vulnerable_deps: Vec<VulnerableDependency> = Vec::new();
        
        // Bun audit JSON structure parsing
        if let Some(advisories) = audit_data.get("advisories").and_then(|a| a.as_array()) {
            for advisory in advisories {
                // Extract vulnerability information
                let name = advisory.get("name").and_then(|n| n.as_str()).unwrap_or("").to_string();
                let version = advisory.get("version").and_then(|v| v.as_str()).unwrap_or("").to_string();
                
                let vuln_info = VulnerabilityInfo {
                    id: advisory.get("id").and_then(|i| i.as_str()).unwrap_or("unknown").to_string(),
                    severity: self.parse_severity(advisory.get("severity").and_then(|s| s.as_str())),
                    title: advisory.get("title").and_then(|t| t.as_str()).unwrap_or("").to_string(),
                    description: advisory.get("description").and_then(|d| d.as_str()).unwrap_or("").to_string(),
                    cve: advisory.get("cve").and_then(|c| c.as_str()).map(|s| s.to_string()),
                    ghsa: advisory.get("ghsa").and_then(|g| g.as_array())
                        .and_then(|arr| arr.first())
                        .and_then(|v| v.as_str())
                        .map(|s| s.to_string()),
                    affected_versions: advisory.get("vulnerable_versions").and_then(|v| v.as_str()).unwrap_or("").to_string(),
                    patched_versions: advisory.get("patched_versions").and_then(|p| p.as_str()).map(|s| s.to_string()),
                    published_date: None, // Bun audit may not provide this
                    references: advisory.get("references").and_then(|r| r.as_array())
                        .map(|refs| refs.iter()
                            .filter_map(|r| r.as_str().map(|s| s.to_string()))
                            .collect())
                        .unwrap_or_default(),
                };
                
                // Find matching dependency
                if let Some(dep) = dependencies.iter().find(|d| d.name == name) {
                    // Check if we already have this dependency
                    if let Some(existing) = vulnerable_deps.iter_mut()
                        .find(|vuln_dep| vuln_dep.name == name && vuln_dep.version == version)
                    {
                        existing.vulnerabilities.push(vuln_info);
                    } else {
                        vulnerable_deps.push(VulnerableDependency {
                            name: dep.name.clone(),
                            version: version.clone(),
                            language: Language::JavaScript,
                            vulnerabilities: vec![vuln_info],
                        });
                    }
                }
            }
        }
        
        if vulnerable_deps.is_empty() {
            Ok(None)
        } else {
            Ok(Some(vulnerable_deps))
        }
    }
    
    fn parse_npm_audit_output(
        &self,
        audit_data: &serde_json::Value,
        dependencies: &[DependencyInfo],
    ) -> Result<Option<Vec<VulnerableDependency>>, VulnerabilityError> {
        let mut vulnerable_deps: Vec<VulnerableDependency> = Vec::new();
        
        // NPM audit JSON structure parsing
        if let Some(actions) = audit_data.get("actions").and_then(|a| a.as_array()) {
            for action in actions {
                if let Some(resolves) = action.get("resolves").and_then(|r| r.as_array()) {
                    for resolve in resolves {
                        let name = resolve.get("name").and_then(|n| n.as_str()).unwrap_or("").to_string();
                        let version = resolve.get("version").and_then(|v| v.as_str()).unwrap_or("").to_string();
                        
                        // Get advisory details
                        let advisory_id = resolve.get("id").and_then(|i| i.as_u64()).unwrap_or(0);
                        
                        // Find the advisory in the advisories section
                        if let Some(advisories) = audit_data.get("advisories").and_then(|a| a.as_object()) {
                            if let Some(advisory) = advisories.get(&advisory_id.to_string()) {
                                let vuln_info = VulnerabilityInfo {
                                    id: advisory.get("id").and_then(|i| i.as_u64())
                                        .map(|id| id.to_string())
                                        .unwrap_or("unknown".to_string()),
                                    severity: self.parse_severity(advisory.get("severity").and_then(|s| s.as_str())),
                                    title: advisory.get("title").and_then(|t| t.as_str()).unwrap_or("").to_string(),
                                    description: advisory.get("overview").and_then(|o| o.as_str()).unwrap_or("").to_string(),
                                    cve: advisory.get("cves").and_then(|c| c.as_array())
                                        .and_then(|arr| arr.first())
                                        .and_then(|v| v.as_str())
                                        .map(|s| s.to_string()),
                                    ghsa: advisory.get("github_advisory_id").and_then(|g| g.as_str()).map(|s| s.to_string()),
                                    affected_versions: advisory.get("vulnerable_versions").and_then(|v| v.as_str()).unwrap_or("").to_string(),
                                    patched_versions: advisory.get("patched_versions").and_then(|p| p.as_str()).map(|s| s.to_string()),
                                    published_date: advisory.get("publish_time")
                                        .and_then(|d| d.as_u64())
                                        .and_then(|timestamp| {
                                            use chrono::TimeZone;
                                            chrono::Utc.timestamp_opt(timestamp as i64, 0).single()
                                        }),
                                    references: advisory.get("references").and_then(|r| r.as_array())
                                        .map(|refs| refs.iter()
                                            .filter_map(|r| r.as_str().map(|s| s.to_string()))
                                            .collect())
                                        .unwrap_or_default(),
                                };
                                
                                // Find matching dependency
                                if let Some(dep) = dependencies.iter().find(|d| d.name == name) {
                                    // Check if we already have this dependency
                                    if let Some(existing) = vulnerable_deps.iter_mut()
                                        .find(|vuln_dep| vuln_dep.name == name && vuln_dep.version == version)
                                    {
                                        existing.vulnerabilities.push(vuln_info);
                                    } else {
                                        vulnerable_deps.push(VulnerableDependency {
                                            name: dep.name.clone(),
                                            version: version.clone(),
                                            language: Language::JavaScript,
                                            vulnerabilities: vec![vuln_info],
                                        });
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        
        if vulnerable_deps.is_empty() {
            Ok(None)
        } else {
            Ok(Some(vulnerable_deps))
        }
    }
    
    fn parse_yarn_audit_output(
        &self,
        audit_data: &serde_json::Value,
        dependencies: &[DependencyInfo],
    ) -> Result<Option<Vec<VulnerableDependency>>, VulnerabilityError> {
        let mut vulnerable_deps: Vec<VulnerableDependency> = Vec::new();
        
        // Yarn audit JSON structure parsing
        if let Some(data) = audit_data.get("data").and_then(|d| d.as_object()) {
            if let Some(vulnerabilities) = data.get("vulnerabilities").and_then(|v| v.as_array()) {
                for vulnerability in vulnerabilities {
                    let name = vulnerability.get("name").and_then(|n| n.as_str()).unwrap_or("").to_string();
                    let version = vulnerability.get("version").and_then(|v| v.as_str()).unwrap_or("").to_string();
                    
                    let vuln_info = VulnerabilityInfo {
                        id: vulnerability.get("advisory").and_then(|a| a.get("id"))
                            .and_then(|i| i.as_u64())
                            .map(|id| id.to_string())
                            .unwrap_or("unknown".to_string()),
                        severity: self.parse_severity(vulnerability.get("severity").and_then(|s| s.as_str())),
                        title: vulnerability.get("advisory").and_then(|a| a.get("title"))
                            .and_then(|t| t.as_str())
                            .unwrap_or("")
                            .to_string(),
                        description: vulnerability.get("advisory").and_then(|a| a.get("description"))
                            .and_then(|d| d.as_str())
                            .unwrap_or("")
                            .to_string(),
                        cve: vulnerability.get("advisory").and_then(|a| a.get("cves"))
                            .and_then(|c| c.as_array())
                            .and_then(|arr| arr.first())
                            .and_then(|v| v.as_str())
                            .map(|s| s.to_string()),
                        ghsa: vulnerability.get("advisory").and_then(|a| a.get("github_advisory_id"))
                            .and_then(|g| g.as_str())
                            .map(|s| s.to_string()),
                        affected_versions: vulnerability.get("advisory").and_then(|a| a.get("vulnerable_versions"))
                            .and_then(|v| v.as_str())
                            .unwrap_or("")
                            .to_string(),
                        patched_versions: vulnerability.get("advisory").and_then(|a| a.get("patched_versions"))
                            .and_then(|p| p.as_str())
                            .map(|s| s.to_string()),
                        published_date: vulnerability.get("advisory").and_then(|a| a.get("publish_time"))
                            .and_then(|d| d.as_u64())
                            .and_then(|timestamp| {
                                use chrono::TimeZone;
                                chrono::Utc.timestamp_opt(timestamp as i64, 0).single()
                            }),
                        references: vulnerability.get("advisory").and_then(|a| a.get("references"))
                            .and_then(|r| r.as_array())
                            .map(|refs| refs.iter()
                                .filter_map(|r| r.as_str().map(|s| s.to_string()))
                                .collect())
                            .unwrap_or_default(),
                    };
                    
                    // Find matching dependency
                    if let Some(dep) = dependencies.iter().find(|d| d.name == name) {
                        // Check if we already have this dependency
                        if let Some(existing) = vulnerable_deps.iter_mut()
                            .find(|vuln_dep| vuln_dep.name == name && vuln_dep.version == version)
                        {
                            existing.vulnerabilities.push(vuln_info);
                        } else {
                            vulnerable_deps.push(VulnerableDependency {
                                name: dep.name.clone(),
                                version: version.clone(),
                                language: Language::JavaScript,
                                vulnerabilities: vec![vuln_info],
                            });
                        }
                    }
                }
            }
        }
        
        if vulnerable_deps.is_empty() {
            Ok(None)
        } else {
            Ok(Some(vulnerable_deps))
        }
    }
    
    fn parse_pnpm_audit_output(
        &self,
        audit_data: &serde_json::Value,
        dependencies: &[DependencyInfo],
    ) -> Result<Option<Vec<VulnerableDependency>>, VulnerabilityError> {
        // PNPM audit output is similar to NPM
        self.parse_npm_audit_output(audit_data, dependencies)
    }
    
    fn parse_severity(&self, severity: Option<&str>) -> VulnerabilitySeverity {
        match severity.map(|s| s.to_lowercase()).as_deref() {
            Some("critical") => VulnerabilitySeverity::Critical,
            Some("high") => VulnerabilitySeverity::High,
            Some("moderate") => VulnerabilitySeverity::Medium,
            Some("medium") => VulnerabilitySeverity::Medium,
            Some("low") => VulnerabilitySeverity::Low,
            _ => VulnerabilitySeverity::Medium, // Default to medium if not specified
        }
    }
}

impl MutableLanguageVulnerabilityChecker for JavaScriptVulnerabilityChecker {
    fn check_vulnerabilities(
        &mut self,
        dependencies: &[DependencyInfo],
        project_path: &Path,
    ) -> Result<Vec<VulnerableDependency>, VulnerabilityError> {
        info!("Checking JavaScript/TypeScript dependencies");
        
        let runtime_detector = RuntimeDetector::new(project_path.to_path_buf());
        let _detection_result = runtime_detector.detect_js_runtime_and_package_manager();
        
        info!("Runtime detection: {}", runtime_detector.get_detection_summary());
        
        // Get all available package managers
        let available_managers = runtime_detector.detect_all_package_managers();
        
        // Execute audit commands for each available manager
        let mut all_vulnerabilities = Vec::new();
        
        for manager in available_managers {
            if let Some(vulns) = self.execute_audit_for_manager(&manager, project_path, dependencies)? {
                all_vulnerabilities.extend(vulns);
            }
        }
        
        Ok(all_vulnerabilities)
    }
}